Start here

Getting started
Domains & Origins

Domains & Origins
Request settings
Load balancing
Custom VCL
Image optimization

Access Control Lists
Monitoring and testing
Securing communications
Security measures
Web Application Firewall

Logging endpoints
Non-Fastly services

Streaming logs
Debugging techniques
Common errors

Account info
Account management
User access and control


    Log streaming: Amazon S3

      Last updated November 06, 2019

    Fastly's Real-Time Log Streaming feature can send log files to Amazon Simple Storage Service (Amazon S3). Amazon S3 is a static file storage service used by developers and IT teams. You can also use the instructions in this guide to configure log streaming to another S3-compatible service.


    Before adding Amazon S3 as a logging endpoint for Fastly services, we recommend creating an Identity and Access Management (IAM) user in Amazon S3 specifically for Fastly. Grant the user ListBucket, GetObject, and PutObject permissions for the directory in which you want to store logs. For more information, see Amazon's Getting Your Access Key ID and Secret Access Key page.

    Adding Amazon S3 as a logging endpoint

    After you've registered for an Amazon S3 account and created an IAM user in Amazon S3, follow these instructions to add Amazon S3 as a logging endpoint:

    1. Review the information in our Setting Up Remote Log Streaming guide.
    2. Click the Amazon Web Services S3 Create endpoint button. The Create an Amazon S3 endpoint page appears.

      the create a S3 endpoint page

    3. Fill out the Create an Amazon S3 endpoint fields as follows:
      • In the Name field, type a human-readable name for the endpoint.
      • In the Log format field, optionally type an Apache-style string or VCL variables to use for log formatting. The Apache Common Log format string appears in this field by default.
      • In the Timestamp format field, optionally type a timestamp format for log files. The default is an strftime compatible string. Our guide on changing where log files are written provides more information.
      • In the Bucket name field, type the name of the Amazon S3 bucket in which to store the logs.
      • In the Access key field, type the access key associated with the Amazon S3 bucket. See Amazon's documentation on security credentials for more information.
      • In the Secret key field, type the secret key associated with the Amazon S3 bucket. See Amazon's documentation on security credentials for more information.

      • In the Period field, optionally type an interval (in seconds) to control how frequently your log files are rotated. This value defaults to 3600 seconds.
    4. Click the Advanced options link of the Create a new S3 endpoint page and decide which of the optional fields to change, if any.

      the advanced options on the create a new S3 endpoint page

    5. Fill out the Advanced options of the Create an Amazon S3 endpoint page as follows:
      • In the Path field, optionally type the path within the bucket to store the files. The path ends with a trailing slash. If this field is left empty, the files will be saved in the bucket's root path. Our guide on changing where log files are written provides more information.
      • In the Domain field, optionally type the domain of the Amazon S3 endpoint. If your Amazon S3 bucket was not created in the US Standard region, you must set the domain to match the appropriate endpoint URL. Use the table in the S3 section of the Regions and Endpoints Amazon S3 documentation page. If you want to use an S3-compatible storage system (such as Dreamhost's DreamObjects), set the domain to match the domain name for that service (for example, in the case of DreamObjects, the domain name would be
      • In the PGP public key field, optionally type a PGP public key that Fastly will use to encrypt your log files before writing them to disk. You will only be able to read the contents by decrypting them with your private key. The PGP key should be in PEM (Privacy-Enhanced Mail) format. See our guide on log encryption for more information.
      • In the Select a log line format area, select the log line format for your log messages. Our guide on changing log line formats provides more information.
      • In the Placement area, select where the logging call should be placed in the generated VCL. Valid values are Format Version Default, None, and waf_debug (waf_debug_log). Selecting None creates a logging object that can only be used in custom VCL. See our guide on WAF logging for more information about waf_debug_log.
      • In the Gzip level field, optionally type the level of gzip compression you want applied to the log files. You can specify any whole number from 1 (fastest and least compressed) to 9 (slowest and most compressed). This value defaults to 0 (no compression).
      • From the Redundancy level menu, select a setting. This value defaults to Standard. Amazon's Using Reduced Redundancy Storage Guide provides more information on using reduced redundancy storage.
      • From the ACL menu, optionally select an access control header. See Amazon's Access Control List (ACL) Specific Request Headers for more information.
      • In the Server side encryption area, optionally select an encryption method to protect files that Fastly writes to your Amazon S3 bucket. Valid values are None, AES-256, and AWS Key Management Service. If you select AWS Key Management Service, you'll have to provide an AWS KMS Key ID. See Amazon's guide on protecting data using server-side encryption for more information. Our discussion of format strings also provides more information.
    6. Click the Create button to create the new logging endpoint.
    7. Click the Activate button to deploy your configuration changes.
    Back to Top